ecs-task-definition-user-for-host-mode-check
Checks for unauthorized permissions in your latest active Amazon Elastic Container Service (Amazon ECS) task definitions that have NetworkMode set to host. The rule is NON_COMPLIANT for task definitions with NetworkMode set to host whose container definitions have privileged set to false or empty and user set to root or empty.
Important
We recommend that you remove elevated privileges from Amazon ECS task definitions. When privileged is true, the container is given elevated permissions on the host container instance (similar to the root user). When running tasks that use the host network mode, do not run containers as the root user (UID 0). As a security best practice, always use a non-root user.
Identifier: ECS_TASK_DEFINITION_USER_FOR_HOST_MODE_CHECK
Resource Types: AWS::ECS::TaskDefinition
Trigger type: Configuration changes
Amazon Web Services Region: All supported Amazon regions except Middle East (UAE), Asia Pacific (Osaka), Asia Pacific (Melbourne), Israel (Tel Aviv), Canada West (Calgary) Region
Parameters:
- SkipInactiveTaskDefinitions (Optional)
  - Type: boolean
  - Boolean flag to not check INACTIVE Amazon EC2 task definitions. If set to 'true', the rule won't evaluate INACTIVE Amazon EC2 task definitions. If set to 'false', the rule will evaluate the latest revision of INACTIVE Amazon EC2 task definitions.
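A worked example, added here and not part of the Amazon Config documentation or the managed rule's own implementation: a Python approximation of the evaluation described above (host network mode, privileged false or empty, user root or empty, plus the SkipInactiveTaskDefinitions parameter), run over constructed task definitions. It assumes NOT_APPLICABLE for non-host network modes and for skipped INACTIVE definitions, and treats a numeric UID of 0 as root alongside the literal user root; both go beyond the rule text.

```python
import json

# Constructed sample task definitions (not real ECS resources), trimmed to
# the fields the rule inspects.
SAMPLE_TASK_DEFINITIONS = json.loads("""[
  {"family": "web-host-root", "status": "ACTIVE", "networkMode": "host",
   "containerDefinitions": [{"name": "web", "image": "example/web"}]},
  {"family": "web-host-nonroot", "status": "ACTIVE", "networkMode": "host",
   "containerDefinitions": [{"name": "web", "image": "example/web", "user": "1000:1000"}]},
  {"family": "api-awsvpc", "status": "ACTIVE", "networkMode": "awsvpc",
   "containerDefinitions": [{"name": "api", "image": "example/api"}]},
  {"family": "old-host-root", "status": "INACTIVE", "networkMode": "host",
   "containerDefinitions": [{"name": "old", "image": "example/old", "user": "root"}]}
]""")


def container_is_flagged(container: dict) -> bool:
    """True when a container definition matches the NON_COMPLIANT pattern:
    privileged is false or absent, and user is root or absent."""
    privileged = container.get("privileged") is True
    user = (container.get("user") or "").strip()
    # An empty user means the image default, which is root unless the image
    # sets otherwise. Accepting "0" (and "0:<gid>") as root is an assumption
    # beyond the rule text, which names only "root" or empty.
    runs_as_root = user == "" or user.split(":")[0] in ("root", "0")
    # Per the rule text, privileged=true containers are not flagged by this
    # rule (the Important note covers that case separately).
    return not privileged and runs_as_root


def evaluate_task_definition(task_def: dict, skip_inactive: bool = False) -> str:
    """Return COMPLIANT, NON_COMPLIANT or NOT_APPLICABLE for one definition."""
    if skip_inactive and task_def.get("status") == "INACTIVE":
        return "NOT_APPLICABLE"  # SkipInactiveTaskDefinitions=true
    if task_def.get("networkMode") != "host":
        return "NOT_APPLICABLE"  # assumption: rule only scopes host mode
    containers = task_def.get("containerDefinitions", [])
    if any(container_is_flagged(c) for c in containers):
        return "NON_COMPLIANT"
    return "COMPLIANT"


def evaluate_all(task_defs: list, skip_inactive: bool = False) -> dict:
    """Map each task definition family to its evaluation result."""
    return {td["family"]: evaluate_task_definition(td, skip_inactive)
            for td in task_defs}


if __name__ == "__main__":
    for family, result in evaluate_all(SAMPLE_TASK_DEFINITIONS).items():
        print(f"{family}: {result}")
```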
Amazon CloudFormation template
To create Amazon Config managed rules with Amazon CloudFormation templates, see Creating Amazon Config Managed Rules With Amazon CloudFormation Templates.